Cisco IOS Cookbook, condensed Chinese edition: 17-23 SNMP

17.1. Configuring SNMP
Problem: Enable basic SNMP service on the router
Solution:
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#snmp-server community ORARO ro
Router(config)#snmp-server community ORARW rw
Router(config)#end
Router#
From IOS 12.0 onward, an alternative configuration method is available:
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#snmp-server group COOKRO v1
Router(config)#snmp-server user TESTRO1 COOKRO v1
Router(config)#snmp-server group BOOKRO v2c
Router(config)#snmp-server user TESTRO2 BOOKRO v2c
Router(config)#end
Discussion: Note that what is enabled here is only the basic SNMP service; it responds to SNMP GET and SET requests but does not send SNMP traps or informs. Because SNMP v1 and v2c both transmit the community string in cleartext, the security restrictions in the later recipes are needed. show snmp group can be used to verify the configuration.
17.2. Retrieving router information with SNMP tools
Discussion: The snmpget, snmpwalk and snmpset commands can query the MIB directly; a graphical tool such as Solarwinds is recommended. Omitted here.
Cisco MIB information: http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml.
17.3. Configuring important router information for SNMP access
Problem: Provide important information such as the router's location and serial number for SNMP access
Solution:
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#snmp-server contact Ian Brown 416-555-2943
Router(config)#snmp-server location 999 Queen St. W., Toronto, Ont.
Router(config)#snmp-server chassis-id JAX123456789
Router(config)#end
Router#
Discussion: none
17.4. Using SNMP to collect information from many routers
Discussion: Batch operations are done with Perl scripts; omitted here.
17.5. Using access lists to restrict SNMP access
Problem: Use access lists to improve the security of SNMP access
Solution:
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#access-list 99 permit 172.25.1.0 0.0.0.255
Router(config)#access-list 99 permit host 10.1.1.1      
Router(config)#access-list 99 deny any
Router(config)#snmp-server community ORARO ro 99
Router(config)#access-list 98 permit 172.25.1.0 0.0.0.255            
Router(config)#snmp-server community ORARW rw 98
Router(config)#end
Router#
The SNMP group method:
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#access-list 99 permit 172.25.1.0 0.0.0.255
Router(config)#access-list 99 permit host 10.1.1.1      
Router(config)#access-list 99 deny any
Router(config)#snmp-server group COOKRO v1 access 99
Router(config)#snmp-server user TESTRO1 COOKRO v1   
Router(config)#end
Router#
Named access lists are supported from 12.3(2)T onward:
Router2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router2(config)#ip access-list standard SNMPACL        
Router2(config-std-nacl)#permit 172.25.1.0 0.0.0.255            
Router2(config-std-nacl)#permit host 10.1.1.1
Router2(config-std-nacl)#deny any
Router2(config-std-nacl)#snmp-server community ORARO1 ro SNMPACL
Router2(config)#end
Router2#
Discussion: none
17.6. Logging unauthorized SNMP attempts
Problem: Log unauthorized SNMP access attempts
Solution:
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#access-list 99 permit 172.25.1.0 0.0.0.255
Router(config)#access-list 99 permit host 10.1.1.1
Router(config)#access-list 99 deny any log
Router(config)#snmp-server community ORARO ro 99
Router(config)#snmp-server community ORARW rw 99
Router(config)#end
Router#
Discussion:
Router#show access-list 99
Standard IP access list 99
    permit 10.1.1.1  (1293 matches)
    permit 172.25.1.0, wildcard bits 0.0.0.255 (630 matches)
    deny   any log (17 matches)
Router#show logging
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
    Console logging: disabled
    Monitor logging: level debugging, 26 messages logged
        Logging to: vty2(0)
    Buffer logging: level debugging, 49 messages logged
    Trap logging: level informational, 53 message lines logged
        Logging to 172.25.1.1, 53 message lines logged
        Logging to 172.25.1.3, 53 message lines logged
         
Log Buffer (4096 bytes):
Apr 15 22:33:21: %SEC-6-IPACCESSLOGS: list 99 denied 192.168.22.13 1 packet
Apr 15 22:39:18: %SEC-6-IPACCESSLOGS: list 99 denied 10.121.212.11 3 packets
Router#
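The denied entries in the log buffer above are what a detection script should be watching. The following parser is an added example (not from the cookbook): it reads %SEC-6-IPACCESSLOGS lines, aggregates denied packets per source address for the SNMP access list, and flags sources that reach a threshold; the log lines and the threshold value are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in the format shown above (not real router output).
SAMPLE_LOG = """\
Apr 15 22:33:21: %SEC-6-IPACCESSLOGS: list 99 denied 192.168.22.13 1 packet
Apr 15 22:39:18: %SEC-6-IPACCESSLOGS: list 99 denied 10.121.212.11 3 packets
Apr 15 22:41:02: %SEC-6-IPACCESSLOGS: list 99 denied 10.121.212.11 5 packets
Apr 15 22:42:10: %SEC-6-IPACCESSLOGS: list 92 denied 10.9.9.9 1 packet
Apr 15 22:43:00: %SYS-5-CONFIG_I: Configured from console by vty0
"""

# Matches the %SEC-6-IPACCESSLOGS message of a standard ACL: list, action, source, packet count.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGS: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) (?P<count>\d+) packets?"
)

def parse_accesslog(text, acl="99"):
    """Return [(acl, action, src, count)] for the IPACCESSLOGS lines of one access list."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group("acl") == acl:
            hits.append((m.group("acl"), m.group("action"), m.group("src"), int(m.group("count"))))
    return hits

def denied_sources(text, acl="99"):
    """Total denied packets per source address, largest first."""
    counts = Counter()
    for _acl, action, src, count in parse_accesslog(text, acl):
        if action == "denied":
            counts[src] += count
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

def noisy_sources(text, acl="99", threshold=5):
    """Sources whose denied total reaches the (constructed) threshold: candidates for follow-up."""
    return [src for src, n in denied_sources(text, acl) if n >= threshold]

if __name__ == "__main__":
    for src, n in denied_sources(SAMPLE_LOG):
        print(f"{src:16} {n} denied packets")
    print("investigate:", noisy_sources(SAMPLE_LOG))
```

IOS logs the first matching packet immediately and then only a five-minute summary per source, so the counts are a lower bound rather than an exact packet count.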
17.7. Restricting MIB access
Problem: Restrict which MIBs can be accessed via SNMP
Solution:
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#access-list 99 permit 172.25.1.0 0.0.0.255
Router(config)#access-list 99 deny any log
Router(config)#snmp-server view ORAVIEW mib-2 included
Router(config)#snmp-server view ORAVIEW at excluded
Router(config)#snmp-server view ORAVIEW cisco included
Router(config)#snmp-server community ORARO view ORAVIEW ro 99
Router(config)#snmp-server view RESTRICTED lsystem.55 included
Router(config)#snmp-server community ORARW view RESTRICTED rw 99
Router(config)#end
Router#
The SNMP group method:
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#snmp-server view ORAVIEW mib-2 included
Router(config)#snmp-server view ORAVIEW at excluded
Router(config)#snmp-server view ORAVIEW cisco included
Router(config)#snmp-server group TEST v1 read ORAVIEW
Router(config)#snmp-server user ORARO TEST v1
Router(config)#snmp-server view RESTRICTED lsystem.55 included
Router(config)#snmp-server group TEST2 v1 write RESTRICTED
Router(config)#snmp-server user ORARW TEST2 v1
Router(config)#end
Router#
Discussion:
Router#show snmp view
ORAVIEW mib-2 - included nonvolatile active
ORAVIEW at - excluded nonvolatile active
ORAVIEW cisco - included nonvolatile active
v1default internet - included volatile active
v1default internet.6.3.15 - excluded volatile active
v1default internet.6.3.16 - excluded volatile active
v1default internet.6.3.18 - excluded volatile active
RESTRICTED cisco - included nonvolatile active
RESTRICTED lsystem.55 - included nonvolatile active
Router#
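To see how the view entries above combine, here is an added example (not from the cookbook) that models the view rule: of all configured subtrees that are prefixes of a requested OID, the longest one decides, and an OID under no subtree is hidden. It uses the standard numeric OIDs for mib-2, at, cisco and lsystem; the entries use no subtree masks, which is all the recipe configures.

```python
# Numeric OIDs for the MIB names used in the recipe (standard registrations).
NAMES = {
    "mib-2": "1.3.6.1.2.1",
    "at": "1.3.6.1.2.1.3",
    "cisco": "1.3.6.1.4.1.9",
    "lsystem": "1.3.6.1.4.1.9.2.1",
}

def to_tuple(oid):
    """'lsystem.55' or '.1.3.6.1.4.1.9.2.1.55' -> (1, 3, 6, 1, 4, 1, 9, 2, 1, 55)."""
    head, _, rest = oid.lstrip(".").partition(".")
    if head in NAMES:
        oid = NAMES[head] + ("." + rest if rest else "")
    return tuple(int(x) for x in oid.strip(".").split("."))

class SnmpView:
    """A named view built from 'snmp-server view NAME SUBTREE included|excluded' lines."""
    def __init__(self, name):
        self.name = name
        self.entries = []   # list of (subtree tuple, included?)

    def add(self, subtree, included):
        self.entries.append((to_tuple(subtree), included))
        return self

    def allows(self, oid):
        """True if the OID is visible: the longest matching subtree decides; no match means hidden."""
        target = to_tuple(oid)
        best = None
        for subtree, included in self.entries:
            if target[:len(subtree)] == subtree and (best is None or len(subtree) > len(best[0])):
                best = (subtree, included)
        return best is not None and best[1]

# The two views configured in the recipe.
ORAVIEW = SnmpView("ORAVIEW").add("mib-2", True).add("at", False).add("cisco", True)
RESTRICTED = SnmpView("RESTRICTED").add("lsystem.55", True)

if __name__ == "__main__":
    # sysName.0, an atTable column, the write-config OID from recipe 17.8, and the load-config OID
    for oid in ("1.3.6.1.2.1.1.5.0", "1.3.6.1.2.1.3.1.1.2",
                "lsystem.55.172.25.1.1", "lsystem.53.172.25.1.1"):
        print(f"{oid:24} ORAVIEW={ORAVIEW.allows(oid)!s:5} RESTRICTED={RESTRICTED.allows(oid)}")
```

The RESTRICTED view shows the least-privilege point of the recipe: the rw community can reach only lsystem.55, so it cannot push a new configuration through lsystem.53.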
17.8. Using SNMP to modify the router's current configuration
Problem: Download or upload the router configuration file via SNMP
Solution:
This example uses a FreeBSD host with NET-SNMP installed.
First, enable SNMP on the router:
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#snmp-server community ORARW rw
Router(config)#end
Download the configuration:
Freebsd% touch /tftpboot/router.cfg
Freebsd% chmod 666 /tftpboot/router.cfg
Freebsd% snmpset -v1 -c ORARW Router .1.3.6.1.4.1.9.2.1.55.172.25.1.1 s router.cfg
enterprises.9.2.1.55.172.25.1.1 = "router.cfg"
Freebsd%
After modifying the configuration, upload it and save:
Freebsd% echo "no ip source-route" > /tftpboot/new.cfg
Freebsd% echo "end" >> /tftpboot/new.cfg
Freebsd% chmod 666 /tftpboot/new.cfg
Freebsd% snmpset -v1 -c ORARW Router .1.3.6.1.4.1.9.2.1.53.172.25.1.1 s new.cfg
enterprises.9.2.1.53.172.25.1.1 = "new.cfg"
Freebsd% snmpset -v1 -c ORARW Router .1.3.6.1.4.1.9.2.1.54.0 i 1
enterprises.9.2.1.54.0 = 1
Freebsd%
Discussion: .1.3.6.1.4.1.9.2.1.55 is the OID in the Cisco MIB that makes the router send its current configuration file, and 172.25.1.1 is the TFTP server address. When modifying the configuration file, remember to add the end command at the end, and note that the OID used for that step is .1.3.6.1.4.1.9.2.1.53. The last snmpset command saves the uploaded configuration. All of the above can of course also be done with the Solarwinds software.
17.9. Using SNMP to upgrade the IOS
Problem: Upgrade the router's IOS remotely via SNMP
Solution:
First, configure the router:
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#snmp-server community ORARW rw
Router(config)#end
Download the current IOS:
Freebsd% touch /tftpboot/c2600-jk9o3s-mz.122-7a.bin
Freebsd% chmod 666 /tftpboot/c2600-jk9o3s-mz.122-7a.bin
Freebsd% snmpset -v1 -c ORARW Router .1.3.6.1.4.1.9.2.10.9.172.25.1.1 s c2600-jk9o3s-mz.122-7a.bin
enterprises.9.2.10.9.172.25.1.1 = "c2600-jk9o3s-mz.122-7a.bin"
Freebsd%
Upgrade the IOS:
Freebsd% chmod 666 /tftpboot/c2600-jk9o3s-mz.122-7a.bin
Freebsd% snmpset -v1 -c ORARW Router .1.3.6.1.4.1.9.2.10.6.0 i 1
enterprises.9.2.10.6.0 = 1
Freebsd% snmpset -v1 -c ORARW Router .1.3.6.1.4.1.9.2.10.12.172.25.1.1 s c2600-jk9o3s-mz.122-7a.bin
enterprises.9.2.10.12.172.25.1.1 = "c2600-jk9o3s-mz.122-7a.bin"
Freebsd%
Discussion: In the example, Router is the router's hostname; an IP address can be used instead. .1.3.6.1.4.1.9.2.10.9 is the corresponding OID. When upgrading the IOS, the first step erases the flash and only the second step uploads the IOS. This approach can be scripted to manage IOS images centrally.
17.10. Using SNMP for bulk configuration changes
Discussion: Batch operations are done with Perl scripts; omitted here.
17.11. Preventing unauthorized configuration changes
Problem: Allow only specific devices to send and receive configuration files via SNMP and TFTP
Solution:
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#access-list 92 permit 172.25.1.1
Router(config)#access-list 92 deny any log       
Router(config)#snmp-server tftp-server-list 92
Router(config)#snmp-server community ORARW rw
Router(config)#end
Router#
Named access lists are supported from 12.3(2)T onward:
Router2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router2(config)#ip access-list standard TFTPACL        
Router2(config-std-nacl)#permit 172.25.1.1
Router2(config-std-nacl)#deny any log        
Router2(config-std-nacl)#exit
Router2(config)#snmp-server tftp-server-list TFTPACL
Router2(config)#snmp-server community ORARW rw
Router2(config)#end
Router2#
Discussion: Note that this restricts only the TFTP sessions initiated through SNMP; other file transfers are not affected. Also, this access list is global and cannot be tied to a specific community string.
17.12. Keeping interface index numbers persistent
Problem: Ensure SNMP uses the same interface index for each interface even after a reboot
Solution:
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#snmp-server ifindex persist
Router(config)#end
Router#
It can also be set on an individual interface:
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#interface Serial0/0
Router(config-if)#snmp ifindex persist
Router(config-if)#exit
Router(config)#end
Router#

Discussion: Many engineers do not realize that the router's internal SNMP interface index (ifIndex) can change, which makes queries return the wrong interface. In the example below, FastEthernet1/0 has ifIndex 5:
Freebsd% snmpwalk -v1 -c ORARO Router ifDescr
interfaces.ifTable.ifEntry.ifDescr.1 = "BRI0/0"
interfaces.ifTable.ifEntry.ifDescr.2 = "Ethernet0/0"
interfaces.ifTable.ifEntry.ifDescr.3 = "BRI0/0:1"
interfaces.ifTable.ifEntry.ifDescr.4 = "BRI0/0:2"
interfaces.ifTable.ifEntry.ifDescr.5 = "FastEthernet1/0"
interfaces.ifTable.ifEntry.ifDescr.6 = "Null0"
interfaces.ifTable.ifEntry.ifDescr.7 = "Loopback0"
After a reboot, the same query shows it has become 2:
Freebsd% snmpwalk -v1 -c ORARO Router ifDescr
interfaces.ifTable.ifEntry.ifDescr.1 = "Ethernet0/0"
interfaces.ifTable.ifEntry.ifDescr.2 = "FastEthernet1/0"
interfaces.ifTable.ifEntry.ifDescr.3 = "Null0"
interfaces.ifTable.ifEntry.ifDescr.4 = "Loopback0"
This makes life difficult for network management.
17.13. Enabling SNMP traps and informs
Problem: Configure the router to generate traps or informs for specific events
Solution:
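A poller that hard-codes ifIndex 5 for FastEthernet1/0 silently reads the wrong counters after the reboot above. This added example (not from the cookbook) compares two ifDescr walks, reports which interfaces moved or disappeared, and resolves an interface by name instead of by number; the two walks are reconstructed from the outputs shown above.

```python
import re

# Constructed walks modelled on the two outputs above (before and after the reboot).
BEFORE_REBOOT = """\
interfaces.ifTable.ifEntry.ifDescr.1 = "BRI0/0"
interfaces.ifTable.ifEntry.ifDescr.2 = "Ethernet0/0"
interfaces.ifTable.ifEntry.ifDescr.3 = "BRI0/0:1"
interfaces.ifTable.ifEntry.ifDescr.4 = "BRI0/0:2"
interfaces.ifTable.ifEntry.ifDescr.5 = "FastEthernet1/0"
interfaces.ifTable.ifEntry.ifDescr.6 = "Null0"
interfaces.ifTable.ifEntry.ifDescr.7 = "Loopback0"
"""
AFTER_REBOOT = """\
interfaces.ifTable.ifEntry.ifDescr.1 = "Ethernet0/0"
interfaces.ifTable.ifEntry.ifDescr.2 = "FastEthernet1/0"
interfaces.ifTable.ifEntry.ifDescr.3 = "Null0"
interfaces.ifTable.ifEntry.ifDescr.4 = "Loopback0"
"""

WALK_RE = re.compile(r'ifDescr\.(\d+) = "([^"]*)"')

def parse_ifdescr(walk):
    """Map ifDescr text -> ifIndex from snmpwalk output."""
    return {name: int(idx) for idx, name in WALK_RE.findall(walk)}

def ifindex_changes(old_walk, new_walk):
    """Interfaces whose ifIndex moved, and interfaces no longer present (e.g. BRI channels not yet up)."""
    old, new = parse_ifdescr(old_walk), parse_ifdescr(new_walk)
    moved = {n: (old[n], new[n]) for n in old if n in new and old[n] != new[n]}
    missing = sorted(n for n in old if n not in new)
    return moved, missing

def resolve_ifindex(walk, name):
    """Look up the current ifIndex by ifDescr instead of hard-coding a number in the poller."""
    table = parse_ifdescr(walk)
    if name not in table:
        raise KeyError(f"interface {name!r} not present in ifDescr walk")
    return table[name]

if __name__ == "__main__":
    moved, missing = ifindex_changes(BEFORE_REBOOT, AFTER_REBOOT)
    for name, (old_idx, new_idx) in sorted(moved.items()):
        print(f"{name}: ifIndex {old_idx} -> {new_idx}")
    print("missing after reboot:", missing)
    print("FastEthernet1/0 now:", resolve_ifindex(AFTER_REBOOT, "FastEthernet1/0"))
```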
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#snmp-server enable traps
Router(config)#snmp-server host 172.25.1.1 ORATRAP config entity envmon hsrp
Router(config)#snmp-server host nms.oreilly.com ORATRAP bgp snmp envmon
Router(config)#end
Router#
From SNMP v2c onward, the router supports SNMP informs:
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#snmp-server enable informs
Router(config)#snmp-server host 172.25.1.1 informs version 2c ORATRAP snmp envmon
Router(config)#end
Router#
Discussion: The traps here are sent on the router's own initiative, not in response to an SNMP request. snmp-server enable traps envmon can be used to send only a specific kind of trap, and different traps can be sent to different NMS hosts.
17.14. Sending syslog messages as SNMP traps
Problem: Encapsulate syslog messages as SNMP traps or informs
Solution:
Traps
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#logging history informational
Router(config)#snmp-server enable traps syslog
Router(config)#snmp-server host 172.25.1.1 ORATRAP syslog
Router(config)#end
Router#
Informs
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#logging history informational
Router(config)#snmp-server enable informs
Router(config)#snmp-server host 172.25.1.1 informs version 2c ORATRAP syslog
Router(config)#end
Router#

Discussion:
Router#clear counters
Clear "show interface" counters on all interfaces [confirm]
Router#
May 28 10:07:04: %CLEAR-5-COUNTERS: Clear counter on all interfaces by ijbrown on vty0 (172.25.1.1)
The syslog message above becomes the following SNMP message:
Freebsd% tail snmptrapd.log
May 28 10:07:04 freebsd snmptrapd[77759]: 172.25.25.1: Enterprise Specific Trap (1) Uptime: 18 days, 22:35:26.99, enterprises.9.9.41.1.2.3.1.2.118 = "CLEAR", enterprises.9.9.41.1.2.3.1.3.118 = 6, enterprises.9.9.41.1.2.3.1.4.118 = "COUNTERS", enterprises.9.9.41.1.2.3.1.5.118 = "Clear counter on all interfaces by ijbrown on vty0 (172.25.1.1)", enterprises.9.9.41.1.2.3.1.6.118 = Timeticks: (163652698) 18 days, 22:35:26.98
Freebsd%
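The trap line above carries the syslog message as columns of the CISCO-SYSLOG-MIB clogHistoryEntry (enterprises.9.9.41.1.2.3.1: facility, severity, mnemonic, text, timestamp). This added example (not from the cookbook) parses such an snmptrapd line back into its fields and rebuilds the original %FACILITY-SEVERITY-MNEMONIC message; the trap line is a constructed copy of the one shown above.

```python
import re

# Constructed snmptrapd line modelled on the one above (not captured from a real host).
TRAP_LINE = ('May 28 10:07:04 freebsd snmptrapd[77759]: 172.25.25.1: Enterprise Specific Trap (1) '
             'Uptime: 18 days, 22:35:26.99, enterprises.9.9.41.1.2.3.1.2.118 = "CLEAR", '
             'enterprises.9.9.41.1.2.3.1.3.118 = 6, enterprises.9.9.41.1.2.3.1.4.118 = "COUNTERS", '
             'enterprises.9.9.41.1.2.3.1.5.118 = "Clear counter on all interfaces by ijbrown on vty0 (172.25.1.1)", '
             'enterprises.9.9.41.1.2.3.1.6.118 = Timeticks: (163652698) 18 days, 22:35:26.98')

# clogHistoryEntry columns under enterprises.9.9.41.1.2.3.1 (CISCO-SYSLOG-MIB).
COLUMNS = {2: "facility", 3: "severity", 4: "mnemonic", 5: "text", 6: "timestamp"}
# column . row-index = value, where the value is either a quoted string or an unquoted token
VARBIND_RE = re.compile(r'enterprises\.9\.9\.41\.1\.2\.3\.1\.(\d+)\.(\d+) = ("([^"]*)"|[^,]+)')

def parse_syslog_trap(line):
    """Extract the sending agent and the clogHistoryEntry fields from one snmptrapd log line."""
    agent = re.search(r'snmptrapd\[\d+\]: (\S+): ', line).group(1)
    fields = {"agent": agent}
    for col, idx, raw, quoted in VARBIND_RE.findall(line):
        name = COLUMNS.get(int(col))
        if name is None:
            continue
        fields["index"] = int(idx)
        fields[name] = quoted if raw.startswith('"') else raw.strip()
    # SyslogSeverity in the MIB is 1-based (emergency=1 ... debug=8); IOS message levels are 0-based.
    fields["severity"] = int(fields["severity"]) - 1
    return fields

def to_syslog_line(fields):
    """Rebuild the IOS message that produced the trap, e.g. %CLEAR-5-COUNTERS: ..."""
    return f"%{fields['facility']}-{fields['severity']}-{fields['mnemonic']}: {fields['text']}"

if __name__ == "__main__":
    parsed = parse_syslog_trap(TRAP_LINE)
    print(parsed["agent"], "history index", parsed["index"])
    print(to_syslog_line(parsed))
```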

17.15. Setting the SNMP packet size
Problem: Change the default SNMP packet size
Solution:
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#snmp-server packetsize 1480
Router(config)#end
Router#
Discussion: The default is 1500 bytes.
17.16. Setting the SNMP queue length
Problem: Increase the SNMP trap queue length
Solution:
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#snmp-server queue-length 25
Router(config)#snmp-server inform pending 40
Router(config)#end
Router#
Discussion: The default trap queue holds 10 trap messages; for informs it is 25. show snmp displays the queue configuration and the number of dropped traps.
17.17. Setting SNMP timeouts
Problem: Adjust the SNMP trap timeout
Solution:
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#snmp-server trap-timeout 60
Router(config)#snmp-server inform timeout 120
Router(config)#end
Router#
Discussion: Strictly speaking, this is the wait time before retransmission.
17.18. Disabling interface up/down traps
Problem: Ignore link-status alerts for specific interfaces
Solution:
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#interface Serial0/0
Router(config-if)#no snmp trap link-status
Router(config-if)#exit
Router(config)#end
Router#
Discussion: For example, on certain dial-up interfaces.
17.19. Setting the source address of SNMP traps
Problem: Set the source address of SNMP trap messages
Solution:
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#snmp-server host 172.25.1.1 ORATRAP
Router(config)#snmp-server trap-source loopback0
Router(config)#end
Router#
Discussion: none
17.20. Using RMON to send traps
Problem: Send a trap when CPU utilization exceeds a threshold, or on other important events
Solution:
CPU utilization exceeds a threshold:
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#rmon event 1 log trap ORATRAP description "CPU on Router has exceeded threshold" owner ijbrown
Router(config)#rmon event 2 log description "CPU on Router has normalized" owner ijbrown         
Router(config)#rmon alarm 1 lsystem.57.0 60 absolute rising-threshold 70 1 falling-threshold 40 2 owner ijbrown
Router(config)#end
Router#
Memory utilization exceeds a threshold:
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#rmon event 4 log trap ORATRAP description "Low memory condition on Router" owner ijbrown    
Router(config)#rmon event 5 log trap ORATRAP description "Low Memory condition cleared on Router" owner ijbrown
Router(config)#rmon alarm 3 lsystem.8.0 60 absolute rising-threshold 1500000 5 falling-threshold 1000000 4 owner ijbrown
Router(config)#end
Router#
Link utilization exceeds a threshold:
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#rmon event 6 log trap ORATRAP description "Bandwidth utilization has exceeded threshold on Router interface Serial 0/0" owner ijbrown
Router(config)#rmon event 7 log trap ORATRAP description "Bandwidth utilization has normalized on Router interface Serial 0/0" owner ijbrown
Router(config)#! Configure inbound alarm on Serial0/0 (ifNumber 3)
Router(config)#rmon alarm 4 lifEntry.6.3 300 absolute rising-threshold 1000000 6 falling-threshold 800000 7 owner ijbrown
Router(config)#! Configure outbound alarm on Serial0/0 (ifNumber 3)
Router(config)#rmon alarm 5 lifEntry.8.3 300 absolute rising-threshold 1000000 6 falling-threshold 800000 7 owner ijbrown
Router(config)#end
Router#
Discussion: The router has this inexpensive monitoring facility built in.
Router>show rmon events
Event 1 is active, owned by ijbrown
Description is CPU on Router has exceeded threshold
Event firing causes log and trap to community ORATRAP, last fired 00:00:00
Event 2 is active, owned by ijbrown
Description is CPU on Router has normalized
Event firing causes log, last fired 2w2d
Current log entries:
      index       time   description
          1       2w2d   CPU on Router has normalized
Router>
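The rising/falling pairs above are what keep a CPU hovering around 70% from producing a trap on every sample. This added example (not from the cookbook) replays a series of constructed one-minute CPU readings through the recipe's first alarm (lsystem.57.0, rising 70 fires event 1, falling 40 fires event 2) with RFC 2819 hysteresis: after a rising event, no further rising event fires until the value has dropped to the falling threshold, and the first sample may fire in either direction (the risingOrFalling startup rule).

```python
class RmonAlarm:
    """Models 'rmon alarm N OID INTERVAL absolute rising-threshold R REV falling-threshold F FEV'.
    Once a rising event has fired, no further rising event fires until the sampled value has
    reached the falling threshold (and vice versa), so a value oscillating around one threshold
    cannot generate a trap on every sample."""

    def __init__(self, rising, rising_event, falling, falling_event):
        if rising <= falling:
            raise ValueError("rising-threshold must exceed falling-threshold")
        self.rising, self.rising_event = rising, rising_event
        self.falling, self.falling_event = falling, falling_event
        self.armed = "both"   # startup rule risingOrFalling: either direction may fire first

    def sample(self, value):
        """Feed one sampled value; return the event number fired, or None."""
        if value >= self.rising and self.armed in ("both", "rising"):
            self.armed = "falling"
            return self.rising_event
        if value <= self.falling and self.armed in ("both", "falling"):
            self.armed = "rising"
            return self.falling_event
        return None

def replay_cpu_alarm(samples):
    """Run the recipe's CPU alarm (rising 70 -> event 1, falling 40 -> event 2) over a list of samples."""
    alarm = RmonAlarm(rising=70, rising_event=1, falling=40, falling_event=2)
    return [alarm.sample(v) for v in samples]

if __name__ == "__main__":
    # Constructed one-minute CPU readings: a spike that lingers above 40% before clearing.
    readings = [50, 65, 72, 90, 75, 60, 38, 72]
    for cpu, event in zip(readings, replay_cpu_alarm(readings)):
        print(f"cpu={cpu:3d}%  event={'-' if event is None else event}")
```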
17.21. Enabling SNMPv3
Problem: Enable SNMPv3 for better security
Solution:
(noAuthNoPriv):
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#snmp-server view TESTV3 mib-2 include
Router(config)#snmp-server group NOTSAFE v3 noauth read TESTV3
Router(config)#snmp-server user WEAK NOTSAFE v3
Router(config)#end
Router#
(authNoPriv):
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#snmp-server view TESTV3 mib-2 include
Router(config)#snmp-server group ORAROV3 v3 auth read TESTV3
Router(config)#snmp-server user cking ORAROV3 v3 auth md5 daytona19y
Router(config)#end
Router#
(authPriv)
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#snmp-server view TESTV3 mib-2 include
Router(config)#snmp-server group ORAROV3 v3 auth read TESTV3
Router(config)#snmp-server user bpugsley ORAROV3 v3 auth md5 hockeyrules priv des56 shortguy
Router(config)#end
Router#

Discussion: The biggest advantage of v3 is the added security; the three modes shown in the example are available to choose from.
17.22. Stronger SNMPv3 encryption
Problem: Strengthen the v3 encryption
Solution:
Stronger encryption methods are available from 12.4(2)T onward:
Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#snmp-server user wbrejniak ORAROV3 v3 auth md5 authpass priv 3des privpass
Router1(config)#end                                                                       
Router1#
or:
Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#snmp-server user wbrejniak ORAROV3 v3 auth md5 authpass priv aes 128 privpass
Router1(config)#end
Router1#
Discussion: none
17.23. Using SAA
Problem: Configure the router to automatically poll another device to collect performance statistics
Solution:
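The auth and priv passwords in recipes 17.21 and 17.22 are never used directly on the wire: the agent turns each one into a key and then localizes it with its own snmpEngineID (RFC 3414). This added example (not from the cookbook) implements that derivation and checks it against the RFC 3414 A.3.1 MD5 test vector; the second engine ID and the des56/aes 128 key-length rule are stated in the comments, and the user passwords are taken from the recipe only as sample input.

```python
import hashlib

def password_to_key(password, hash_name="md5"):
    """RFC 3414 A.2: Ku = H(password repeated and truncated to exactly 1,048,576 bytes)."""
    pw = password.encode()
    stream = (pw * (1048576 // len(pw) + 1))[:1048576]
    return hashlib.new(hash_name, stream).digest()

def localize_key(ku, engine_id, hash_name="md5"):
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku), binding the key to one agent."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()

def usm_keys(auth_pass, priv_pass, engine_id, hash_name="md5", priv="des56"):
    """Localized auth key and priv key for 'snmp-server user ... auth md5 A priv des56|aes 128 P'."""
    auth_kul = localize_key(password_to_key(auth_pass, hash_name), engine_id, hash_name)
    priv_kul = localize_key(password_to_key(priv_pass, hash_name), engine_id, hash_name)
    # DES uses the first 8 octets of the localized key (RFC 3414 8.1.1.1); AES-128 the first 16 (RFC 3826).
    priv_len = 8 if priv == "des56" else 16
    return auth_kul, priv_kul[:priv_len]

# RFC 3414 A.3.1 test vector: password "maplesyrup" with this 12-byte engine ID.
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")
# A second, constructed engine ID standing in for another router.
OTHER_ENGINE_ID = bytes.fromhex("800000090300aabbccddeeff")

if __name__ == "__main__":
    ku = password_to_key("maplesyrup")
    print("Ku           :", ku.hex())
    print("Kul (RFC)    :", localize_key(ku, RFC_ENGINE_ID).hex())
    print("Kul (other)  :", localize_key(ku, OTHER_ENGINE_ID).hex())
    auth_k, priv_k = usm_keys("authpass", "privpass", OTHER_ENGINE_ID, priv="aes 128")
    print("auth key bytes:", len(auth_k), " priv key bytes:", len(priv_k))
```

Because the same password localizes to an unrelated key on every engine ID, a key recovered from one router's configuration does not authenticate to another, which is the property the per-agent localization step exists to give.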
Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#rtr responder
Router1(config)#rtr 10
Router1(config-rtr)#type echo protocol ipIcmpEcho 10.1.2.3
Router1(config-rtr)#tag ECHO_TEST
Router1(config-rtr)#threshold 1000
Router1(config-rtr)#frequency 300
Router1(config-rtr)#exit
Router1(config)#rtr schedule 10 life 2147483647 start-time now
Router1(config)#rtr 20
Router1(config-rtr)#type jitter dest-ipaddr 10.1.2.3 dest-port 99 num-packets 100
Router1(config-rtr)#tag JITTER_TEST
Router1(config-rtr)#frequency 300
Router1(config-rtr)#exit
Router1(config)#rtr schedule 20 life 100000 start-time now ageout 3600
Router1(config)#exit
Router1#
The target router, which responds to the SAA tests:
Router2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router2(config)#rtr responder
Router2(config)#exit
Router2#
Discussion: none
